NAC agent is giving a pop-up on the client side. I have chain.pem in hand. What to do?

Jul 25th, 2010

I have asked my client to push the chain.pem file to all the Active Directory users, but he is saying it is not working. Attached is the screenshot of the pop-up he is getting.


I have asked him to try the chain.pem export from the GUI from the NAS/CAS machine.


And if that doesn't work, I asked him to try the chain.pem export from the GUI from the NAM/CAM machine.


What mistakes or things should he take care of in the GPO of Active Directory? Any guidance, please.

Faisal Sehbai Sun, 07/25/2010 - 22:44

Hi,


What is this chain.pem? Is it the root certificate which has signed the CAS certificate, or is it the CAS certificate itself?


Faisal

game123 Mon, 07/26/2010 - 00:09

Well, here is the thing:


1. Last time I did the whole procedure with your last posting on another discussion bullet, and openssl worked well enough!


2. Now from the GUI I can see that I can export the chain.pem file from both the NAS and the NAM, right?


3. All is working fine, but the customer complained that he is getting pop-up messages on the client side. I suggested that he export the certificate from the NAS, import it in AD 2008 and push it through GPO to the clients (I am not sure whether he did this or not), but later he said it didn't work.


4. Then I asked him to try it out with the NAM certificate export and test it. He said it didn't work and the clients still get the pop-up message.


The fact is, when we export from the GUI the file name is the same, chain.pem, from both boxes, so is there any tip or clue as to how to see this and rectify the issue for the clients?


Kamran

Correct Answer
Faisal Sehbai Mon, 07/26/2010 - 07:48

Kamran,


You just need to install the root certificate of the CA which signed the CAS's certificate. If the CAS certificate is self-signed, you just need the CAS certificate and have that installed in the root stores of the client machines.


Please verify with your client what he is pushing out to his machines, and how. Check on an affected machine to see if they have the root cert in their store or not.


HTH,

Faisal
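
One way to run the check described in the answer above on an affected Windows client, as an added example that is not part of the original thread or of any Cisco tooling: it lists every certificate inside an exported chain.pem, flags the ones whose subject equals their issuer (the root, or a self-signed CAS certificate), and reports whether each is already in the machine's Trusted Root store. The function name `Get-ChainPemReport` and the `.\chain.pem` path are assumptions made for illustration.

```powershell
# Added example (not from the thread). Get-ChainPemReport is a hypothetical name.
function Get-ChainPemReport {
    param(
        # Path to the bundle exported from the CAS or CAM GUI (assumed file name: chain.pem)
        [Parameter(Mandatory)] [string] $Path
    )

    $pem     = Get-Content -LiteralPath $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $opts    = [System.Text.RegularExpressions.RegexOptions]::Singleline
    $blocks  = [regex]::Matches($pem, $pattern, $opts)
    if ($blocks.Count -eq 0) { throw "No PEM certificate blocks found in $Path" }

    # Thumbprints currently present in the machine-wide Trusted Root store.
    $trusted = @(Get-ChildItem -Path Cert:\LocalMachine\Root).Thumbprint

    $index = 0
    foreach ($m in $blocks) {
        # FromBase64String ignores the line breaks inside the PEM body.
        $der  = [Convert]::FromBase64String($m.Groups[1].Value)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)

        [pscustomobject]@{
            Position           = $index          # order of the certificate in the file
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            NotAfter           = $cert.NotAfter
            Thumbprint         = $cert.Thumbprint
            # Subject equal to issuer: this is the root, or a self-signed CAS certificate.
            SubjectIsIssuer    = ($cert.Subject -eq $cert.Issuer)
            InLocalMachineRoot = ($trusted -contains $cert.Thumbprint)
        }
        $index++
    }
}

# Usage on an affected client, with the exported file copied locally:
#   Get-ChainPemReport -Path .\chain.pem | Format-List
```

A row with `SubjectIsIssuer` true and `InLocalMachineRoot` false is the certificate that still has to reach the clients' root store. If no row has `SubjectIsIssuer` true, the root is not in the file, and it has to be obtained from the CA that signed the CAS certificate.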
